Managing cyber risks and managing budgets

We generally want our government to produce evidence-based policies (well, sometimes we just want tax breaks); we want to see that the government is implementing legislation on the basis of facts and statistical probabilities. This is a pipe dream, of course, because the reality of the political sphere is that appearances often matter more than actual governance. Instead of a sensible restructuring of the tax code or a more relaxed regulatory environment, we get knee-jerk laws that restrict rather than liberate.

We know that our taxes would be far better used if spent sensibly – if only the government would examine and follow the evidence. It’s not hard to understand that these expenses unnecessarily contribute to deficits, which the government – and the opposition – use to decry the current state of things and justify more knee-jerk laws.

If we did the same in business, we would be fired, and rightly so.

(This isn’t a perfect comparison, of course, because governmental borrowing can actually be a significant economic positive – when managed intelligently.)

Unlike in the political sphere, businesses must justify their spending with calculations of return on investment, which have to be based on clear evidence or well-founded predictions. This is especially true in cyber security, which has long suffered from a systemic failure to appreciate the risks and the scale of damage at stake.

Understand the problem

With cyber risks proliferating at a terrifying rate, we must act to protect ourselves, our information, and, by extension, our clients and partners. It’s irresponsible to leave such things up to fate.

According to the 2015 Information Security Breaches Survey, 44% of both large and small organisations increased their security expenditure in 2015 (compared with 53% and 27% in 2014, respectively). Despite the increase in expenditure, however, 90% of large organisations and 74% of small organisations reported that they had suffered a security breach – up from 81% and 60% a year ago.

It’s nice to imagine that these enlarged security budgets were well-spent, but the evidence doesn’t support this. The truth of cyber crime is that it’s cheap. It costs almost nothing to hire a botnet for a DDoS attack, hacking software and malware is almost free, and finding people willing to jump on board and help out for notoriety or a cut of the profits is readily facilitated by the anonymity of the Internet and, increasingly, the Tor network.

To manage cyber risks, we often need to spend much, much more than our adversaries, which seems utterly unfair. The damage our enemies can inflict, however, can be catastrophic. Ponemon Institute reports that the average cost of a data breach now sits at an astonishing $6.5 million.

So, on balance, we should have enormous security budgets capable of seeing off almost anyone – but that’s frankly ludicrous for most organisations. Instead, facing the realities of business, we must focus our spending wisely, taking advantage of all of the available evidence and walking that fine line between protecting ourselves and being fiscally responsible.

Assess the risks – know your enemy and know yourself

This is why risk assessments are so essential, and why they form the core of ISO 27001, the international standard for information security. Knowing which risks are applicable to which information assets should drive information security management decisions and enable the business to balance expenditure on controls against the business harm likely to result from security failures.

This isn’t the whole of the problem, though. It’s difficult to judge how much damage a cyber risk presents, because information is ephemeral – a computer has a relatively fixed value, but data, which is effectively invisible, can be stolen or lost in vast quantities and in a myriad of configurations. Losing a million post codes probably won’t cost you much, for instance, but losing ten thousand National Insurance numbers definitely will.

An ISO 27001 risk assessment regime focuses on protecting against whole risks, rather than simply protecting the assets. This is an exercise in perspective – protecting an asset from damage or loss is taking an isolationist approach, while protecting a whole range of assets from a single, specific threat unifies your defences, keeping processes consistent and minimising investment requirements.

An effective risk management regime must operate on the basis of good intelligence, both regarding the threats from outside and the value of the organisation’s information assets. Armed with this data, it’s much easier to present solid, evidence-based arguments for suitable budgets and to secure stronger long-term ROI. It’s not just about getting the money, it’s about getting the money to work for you.